ublue-os / config

A layer to provide configuration files (udev rules, service units, etc)
https://universal-blue.org
Apache License 2.0
45 stars 28 forks

refactor: Rewrite luks tpm2 script. #302

Closed m2Giles closed 3 months ago

m2Giles commented 3 months ago

The previous version of the tpm2 script did not fail out when encountering unsupported configurations. This script is narrowly focused on enabling tpm2 decryption for root devices. By default we expect this to be configured via the installer.

This script will now fail out if it cannot find the disk. The disk is determined via the kernel commandline instead of /etc/crypttab. It still only supports a single disk. It now also provides hints on why the script has failed and the commands to run to disable and/or enable.

Thank you for contributing to the Universal Blue project!

Please read the Contributor's Guide before submitting a pull request.
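
The kernel-command-line lookup and fail-fast behaviour described in the PR description above, as an added example that is not the script from this pull request. It assumes the LUKS root device is recorded as `rd.luks.uuid=` (the dracut/systemd parameter); the function name, return codes and sample command line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the project's script.
# Assumption: the root device is recorded as rd.luks.uuid=<uuid>, optionally
# prefixed with "luks-", on the kernel command line.

# luks_uuid_from_cmdline CMDLINE
# Prints the UUID on stdout. Exit status: 1 = no rd.luks.uuid present,
# 2 = more than one (multi-disk is unsupported), 3 = malformed value.
# The body runs in a subshell so "set -f" and the variables stay local.
luks_uuid_from_cmdline() (
    set -f          # no globbing while the command line is word-split
    found=""
    count=0
    for arg in $1; do
        case "$arg" in
            rd.luks.uuid=*)
                found="${arg#rd.luks.uuid=}"
                count=$((count + 1))
                ;;
        esac
    done
    if [ "$count" -eq 0 ]; then
        echo "No rd.luks.uuid on the kernel command line; is the root device encrypted?" >&2
        exit 1
    fi
    if [ "$count" -gt 1 ]; then
        echo "Found $count rd.luks.uuid entries; only a single disk is supported." >&2
        exit 2
    fi
    found="${found#luks-}"
    # Accept only hex digits and dashes before the value is used in a device path.
    case "$found" in
        *[!0-9a-fA-F-]*|"")
            echo "Malformed rd.luks.uuid value: $found" >&2
            exit 3
            ;;
    esac
    printf '%s\n' "$found"
)

# Constructed sample; a real script would pass "$(cat /proc/cmdline)".
SAMPLE_CMDLINE='BOOT_IMAGE=(hd0,gpt2)/vmlinuz root=UUID=11111111-2222-3333-4444-555555555555 rd.luks.uuid=luks-aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee rhgb quiet'

uuid="$(luks_uuid_from_cmdline "$SAMPLE_CMDLINE")" && echo "/dev/disk/by-uuid/$uuid"
```

Distinct exit codes let the caller print a different hint for each failure, and rejecting non-UUID characters keeps an unexpected command-line value out of any path handed to later commands.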

m2Giles commented 3 months ago

This only supports single disk decryption.

If we want to support multi-disk decryption, we can instead parse the output of lsblk.

For example lsblk -o NAME,TYPE -n -i -r | tr ' ' '='

bsherman commented 3 months ago

> This only supports single disk decryption.
>
> If we want to support multi-disk decryption, we can instead parse the output of lsblk.
>
> For example lsblk -o NAME,TYPE -n -i -r | tr ' ' '='

I really like the current changes... much better parsing the cmdline vs the crypttab.

I do think multi-disk should definitely be a distinct PR/feature... as this currently handles a default (recommended) install method.